Admin using password for other users

Ian2019831 ingle 1 Reputation point
2022-01-17T23:36:58.767+00:00

Hi, thanks for reading.

I'm about to undertaker an install of some metrology software onto a measuring machine.
IT have refused to do it as they don't understand it, but obviously the task needs admin access, which I don't have.
They are however happy to remote on and type their password in when needed.

The question is, is this best practice?
Should they be blindly putting in their password without knowing the process and what it involves?
Is there anything in any standards that cover such things?

To me if a task requires admin access it should be performed by a component administrator.

Windows Server
Windows Server
A family of Microsoft server operating systems that support enterprise-level management, data storage, applications, and communications.
12,103 questions
Windows 10 Network
Windows 10 Network
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Network: A group of devices that communicate either wirelessly or via a physical connection.
2,270 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. Dave Patrick 426.1K Reputation points MVP
    2022-01-17T23:59:09.657+00:00

    There's really no standard practice. It's more a preference determined by the company policy or an administrative policy.

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  2. MotoX80 31,571 Reputation points
    2022-01-18T00:18:21.467+00:00

    For the server team that I was on, we would temporarily add your AD account to the Administrators group on the PC/server. Then let you do whatever you needed to do to get the software installed and configured. There was no way that I was going to let you use my AD credentials to do that because that would require that I watch everything that you did. We would then remove your account from the administrators' group when you were done.

    I think a lot depends on how many servers and applications your organization has, how much the server team trusts the application team, and how many times the server guys have to rebuild a machine because the app guy was playing with Powershell and deleted almost everything in Windows\System32. (He did it twice before I revoked his access.)

    We just didn't have the manpower to install all of the applications on the number of servers we had. On many servers the application team, or a small subset of "guys that we trust", had permanent admin access. It was their app to support and if they messed up, they had to answer to the managers and explain what happened.

    As DSPatrick mentioned, it all depends on your organization's policies. Good luck.

    0 comments No comments

  3. Limitless Technology 39,341 Reputation points
    2022-01-18T13:52:05.55+00:00

    Hello @Ian2019831 ingle

    Maybe this would be a question for a forum related to cybersecurity or compliance, but I would give my best shot.

    My answer would be "depends". First of all, in a perfect world, any software running in the domain/network needs to be approved by IT. To be approved, they would need to understand and test it. And then, they would be able install it. They may still need an experience user to configure it or manage it, but not to install.

    On the other hand, depending on the security measures of the company, may be safe to type in credentials on a UAC type screen as this credentials can't be carried over to other operations. At the same time, security measures may help to track or protect from the abuse of that credentials.

    What it should be forbidden is to open a CMD, POWERSHELL or other shell such as File Explorer or Edge/IE where the admin permission can be carried over for any operation running on that shell. In case needed, IT should keep in remote session as witness of what the user completes, and ensure that the shell windows are closed (sometimes pushing a forced reboot remotely)

    Hope this helps with your query,

    -----------

    --If the reply is helpful, please Upvote and Accept as answer--

    0 comments No comments